Feeds

Airline security critic raided by Feds

Don't even joke about it

5 things you didn’t know about cloud backup

Indiana University graduate student Christopher Soghoian pointed out a flaw in airline security by posting a fake boarding pass generator online, and was rewarded with a visit from FBI agents with a search warrant.

The FBI raided his residence on Saturday, only days after the student posted a PHP script enabling anyone to print a boarding pass for Northwest Airlines.

It's unlikely that a fake pass would enable someone to board a flight they hadn't paid for, but it would suffice to get one into the "secure" area of an airport. Soghoian's example passes would fail at the gate when read electronically. Still, they would likely not be challenged until that point.

The trick involved is not new; indeed, it was publicised by Slate magazine in February 2005. Creating a script enabling any fool to generate a pass was Soghoian's contribution.

The Feds apparently considered this to be going a step further than providing information that's already available, and interpreted it as encouraging bad behaviour, even though Soghoian was clear about the fact that his example passes would not enable one to fly for free. They only demonstrated how easily people on the no-fly lists could find themselves wandering about an airport, if, for example, they were too lazy to get an ID and credit card issued under a different name.

Which brings us to the observation that, yes, airport security is crap, just as Soghoian's pass generator and the Slate article illustrate, and no, it really doesn't matter if people can print their own boarding passes, and even edit them.

In the five years since 9/11, the TSA has failed to catch a single terrorist, and it isn't because they're printing boarding passes. It's because the entire idea of setting up checkpoints at widely-publicised locations and waiting for terrorists to turn up and get caught is idiotic. Those who might be recognised visually aren't flying commercially.

The rest are simply declining to participate as well, or are travelling with authentic, government-issued passports and working credit cards obtained fraudulently - which is hardly more challenging than editing a boarding pass, but pays far better dividends, like actually being permitted to travel.

We note that US Representative Edward Markey (Democrat, Massachusetts) overreacted wildly to news of Soghoian's pass generator and called for his immediate arrest.

"The Bush Administration must immediately act to investigate, apprehend those responsible, shut down the website, and warn airlines and aviation security officials to be on the look-out for fraudsters or terrorists trying to use fake boarding passes in an attempt to cheat their way through security and onto a plane," Markey exclaimed.

He later retracted that bit of political theatre: "Subsequently, I learned that the person responsible...intended to provide a public service by warning that this long-standing loophole could be easily exploited." Markey concluded that: "The Department of Homeland Security should put [Soghoian] to work showing public officials how easily our security can be compromised."

Markey is a member of the House Homeland Security Committee. With the midterm elections approaching, he's naturally eager to show the world that Democrats are just as security-savvy as Republicans claim to be. But he gets it wrong both times. He overstates the risk in the first place, and in the second place overestimates Soghoian's "contribution" to airline security in pointing out a minor flaw that's been known for years.

But so long as security remains a political football, this is the sort of rubbish we will have to listen to (The Register does commend Markey for not waiting until after the election to issue the retraction, as many others in his position would have done).

The homemade boarding pass is no big deal. The risk is minor, and it's mitigated somewhat by the fact that the passes issued by the airlines at check in, where ID is required, look different. This is by design, to give the TSA an opportunity to exercise a bit more care when screening passengers in possession of boarding passes obtained otherwise.

And yes, it would not be terribly difficult to make a facsimile of an airline-issued pass to escape extra scrutiny, but we have to point out that the real threat is undesirable travellers with false identities, proffering authentic travel documents. That's the right way to beat the system, and it's easy. No terrorist worth his salt is going to waste time Photoshopping boarding passes.

In the movies, the scoundrels always have a guy who does counterfeit passports. He's always eccentric, and strangely heliophobic for someone who does close work, but he's invariably a world-class artist. The counterfeits cost thousands of dollars and take several days.

In the real world, with a fake birth certificate, you can get a genuine passport in 24 hours for less than $200. Of course, movies wouldn't be as much fun if we kept that in mind. But when we're doing security, it's wise to remain clear on the differences between Hollywood and reality.

Meanwhile, we hope that Soghoian isn't destined to spend several years in prison for pointing out a security flaw that, ultimately, is irrelevant. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
6 Obvious Reasons Why Facebook Will Ban This Article (Thank God)
Clampdown on clickbait ... and El Reg is OK with this
No, thank you. I will not code for the Caliphate
Some assignments, even the Bongster decline must
Kaspersky backpedals on 'done nothing wrong, nothing to fear' blather
Founder (and internet passport fan) now says privacy is precious
TROLL SLAYER Google grabs $1.3 MEEELLION in patent counter-suit
Chocolate Factory hits back at firm for suing customers
Mozilla's 'Tiles' ads debut in new Firefox nightlies
You can try turning them off and on again
Facebook, Google and Instagram 'worse than drugs' says Miley Cyrus
Italian boffins agree with popette's theory that haters are the real wrecking balls
Sit tight, fanbois. Apple's '$400' wearable release slips into early 2015
Sources: time to put in plenty of clock-watching for' iWatch
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Advanced data protection for your virtualized environments
Find a natural fit for optimizing protection for the often resource-constrained data protection process found in virtual environments.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.